Mercury Suggestions
Mercurys userids/passwords

Some time ago I downloaded a daemon from you that fixed this very issue for me. Hope you don't mind me sharing this. I'm surprised really that David doesn't build this into the software.


At 17:09 2017-11-24, Jim Banks wrote:

I had been seeing these connections constantly and when I looked in my log noticed that the same IP has been connecting to me for weeks trying to hack in (presumably trying different passwords each time). Is there any way Mercury can be configured to block the IP after so many failed attempts? I have them locked out now, but it would be better if Mercury automatically took care of this for me.

Mercury should block repeated failed AUTH attempts if they happen within the same SMTP session. This is usually not the case though. Multiple AUTH failures from the same IP address but in separate sessions can however, if frequent enough, be caught by my SMTP Event Daemon. If you would like to have a look at it you can download it here: http://downloads.serieguide.se/SmtpEvt2017.zip

/ Rolf

We are currently having a large influx of "hackers" trying to determine a valid userid/password for sending spam... Using v4.74...

Since the mercurys.log does not show the userid/password used (and I can't find any settings for that), if a hacker finds a valid userid/password, I would have no way to know which one I have to change...

Any suggestions?

Matt

The Mercury version currently being beta tested will display details for failed SMTP logins in the log.

[quote user="mcorrow"]

We are currently having a large influx of "hackers" trying to determine a valid userid/password for sending spam... Using v4.74...

Since the mercurys.log does not show the userid/password used (and I can't find any settings for that), if a hacker finds a valid userid/password, I would have no way to know which one I have to change...

Any suggestions?

Matt

[/quote]

Mercury can save the transaction logs for each connection. These detail the login info. Unfortunately, depending on the load on your server there might be 1000s of them. For what it's worth, I have seen a lot of illicit connection attempts during this last week. These are repetitive connections from the same IP or IP range. I usually block the range xxx.xxx.xxx.1 - 254. I've seen connection attempts from various ranges belonging to China, the Netherlands, and the UK. Perhaps these are related to the credential stuffing attacks that have been in the media recently?
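Added example, not part of the thread and not code from Mercury or the SMTP Event Daemon: a sliding-window count of failed AUTH attempts per source IP across separate sessions, rolled up per /24 as well, since the post above blocks whole xxx.xxx.xxx.1 - 254 ranges. The log line format, event names, thresholds and function names are assumptions, because the thread does not show what mercurys.log or the transaction logs contain.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO time> <client IP> <event>".
# This is not the real mercurys.log layout; adapt parse_line() to your log.
SAMPLE_LOG = """\
2017-11-24T17:00:05 203.0.113.7 AUTH-FAIL
2017-11-24T17:01:10 203.0.113.7 AUTH-FAIL
2017-11-24T17:02:00 198.51.100.20 AUTH-OK
2017-11-24T17:02:30 203.0.113.9 AUTH-FAIL
2017-11-24T17:03:15 203.0.113.7 AUTH-FAIL
2017-11-24T17:04:40 203.0.113.12 AUTH-FAIL
2017-11-24T19:30:00 192.0.2.44 AUTH-FAIL
2017-11-24T21:45:00 192.0.2.44 AUTH-FAIL
"""

def parse_line(line):
    """Return (timestamp, ip, event) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]), parts[2]
    except ValueError:
        return None

def find_offenders(lines, window=timedelta(minutes=10), ip_limit=3, net_limit=5):
    """Flag IPs and IPv4 /24 ranges whose AUTH failures reach a limit inside the
    sliding window, regardless of how many SMTP sessions they were spread over."""
    recent = defaultdict(deque)          # key (IP or network) -> failure times
    flagged_ips, flagged_nets = set(), set()
    for line in lines:                   # lines are assumed to be in time order
        rec = parse_line(line)
        if rec is None or rec[2] != "AUTH-FAIL":
            continue
        ts, ip, _ = rec
        keys = [(ip, ip_limit, flagged_ips)]
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            keys.append((net, net_limit, flagged_nets))
        for key, limit, flagged in keys:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= limit:
                flagged.add(str(key))
    return flagged_ips, flagged_nets
```

On the constructed sample, one address crosses the per-IP limit and its /24 crosses the range limit only because failures from three neighbouring addresses are counted together; the two failures hours apart from 192.0.2.44 stay below both.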
